Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2008-0486 to a friend New vulnerability? New tool? Tell us	CVE-2008-0486 MPlayer Buffer Overflow Vulnerability     Credit: The information has been provided by CORE Security Technologies Advisories. The original article can be found at: http://www.coresecurity.com/?action=item&id=2103 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2008-0486 Details Check for CVE-2008-0486 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * MPlayer version 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC)  * Xine-lib version 1.1.10 Immune Systems:  * MPlayer SVN HEAD after r25917  * MPlayer version 1.0rc2 + security patches Vendor response: A fix for this problem was committed to SVN on the MPlayer project [4]. Users of affected MPlayer versions should download a patch [5] for MPlayer 1.0rc2 or update to the latest version if they are using SVN. Technical details: The vulnerability was found in the following code, used to parse FLAC comments inside MPlayer: libmpdemux/demux_audio.c 206 case FLAC_VORBIS_COMMENT: 207 { 208 /* For a description of the format please have a look at */ 209 /* http://www.xiph.org/vorbis/doc/v-comment.html */ 210 211 uint32_t length, comment_list_len; 212 (1) char comments[blk_len]; 213 uint8_t *ptr = comments; 214 char *comment; 215 int cn; 216 char c; 217 218 if (stream_read (s, comments, blk_len) == blk_len) 219 { 220 (2) length = AV_RL32(ptr); 221 ptr += 4 + length; 222 223 comment_list_len = AV_RL32(ptr); 224 ptr += 4; 225 226 cn = 0; 227 for (; cn < comment_list_len; cn++) 228 { 229 length = AV_RL32(ptr); 230 ptr += 4; 231 232 comment = ptr; 233 (3) c = comment[length]; 234 comment[length] = 0; ... We can see in (2) that the length variable is being loaded from a position on the file stream, and then used without any validation to index the comment buffer, that was allocated from the stack in (1). This causes a stack corruption, and possibly allows code execution (e.g. modifying the value of the length variable, that is also on the stack). Example Attack Scenario: 1) The user receives an email with an attachment called e.g. goodmusic.flac. 2) The user opens the file with MPlayer or another vulnerable software. 3) This causes a stack corruption and malicious code execution on the user computer. Report Timeline  * 2007-12-18: Core Security Technologies notifies the MPlayer team of the vulnerability (no reply received).  * 2008-01-04: A new notification of the vulnerability was sent to the MPlayer team (no reply received).  * 2008-01-18: A new notification of the vulnerability was sent to the MPlayer team.  * 2008-01-18: The MPlayer team asked Core Security Technologies for technical description of the vulnerability.  * 2008-01-22: Technical details was sent to MPlayer team by Core Security Technologies.  * 2008-01-28: MPlayer notified Core Security Technologies that a fix had been produced.  * 2008-02-04: CORE-2007-1218 advisory was published. CVE Information: CVE-2008-0486  Comments on CVE-2008-0486:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®